In most cases you have to sign your code in order to get it installed on the operating system. You can sign your code using a self-signed certificate or using a certificate issued by a publicly-trusted CA.

Due to the costs of buying a code signing certificate from a publicly-trusted CA, some users will decide to try a self-signed certificate. Here is what you need to consider.

Self-Signed Certificate:

  • Issued using software that the user has and controls
  • Signatures trigger a trust warning indicating an unverified publisher, and the dialog will display “Unknown Publisher”
  • Compromised certificates cannot be revoked and could harm the users of your software

[Screenshot: security warning dialog showing “Unknown Publisher”]

Certificates Issued from a Publicly-Trusted CA:

  • CA performs identity verification which is displayed in the trust dialogue
  • Compromised certificates can be revoked, and if time-stamping was used, code signed before revocation will remain trusted

For user trust and the longevity of your code, it is recommended that you use a certificate issued from a publicly-trusted CA.
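As an added example (not from the original post), here is how an administrator can check which of the two cases above a downloaded binary falls into before installing it on Windows. It uses the built-in Get-AuthenticodeSignature cmdlet and .NET's X509Chain; the file path is a placeholder.

```powershell
# Added example, not part of the original post. Inspects an Authenticode-signed
# file and reports: signature status, whether the signer is self-signed, whether
# the chain builds to a trusted root, and whether a timestamp countersignature
# is present. The path below is a placeholder.
function Test-CodeSigningTrust {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path          = $Path
        Status        = $sig.Status          # Valid, NotSigned, UnknownError, HashMismatch, ...
        StatusMessage = $sig.StatusMessage
        Signer        = $null
        SelfSigned    = $false
        ChainTrusted  = $false
        ChainErrors   = @()
        TimeStamped   = $false
    }

    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $result.Signer = $cert.Subject
        # A self-signed certificate is its own issuer; nothing vouches for the
        # publisher's identity, which is what produces "Unknown Publisher".
        $result.SelfSigned = ($cert.Subject -eq $cert.Issuer)

        # Build the chain to a root the machine trusts, checking revocation online,
        # so the reason for distrust (UntrustedRoot, Revoked, ...) is surfaced
        # rather than hidden behind a generic failure.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $result.ChainTrusted = $chain.Build($cert)
        $result.ChainErrors  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

        # A timestamp countersignature lets a signature stay valid after the
        # signing certificate expires or is revoked for a later compromise.
        $result.TimeStamped = [bool]$sig.TimeStamperCertificate
    }

    [pscustomobject]$result
}

Test-CodeSigningTrust -Path 'C:\Downloads\setup.exe' | Format-List
```

A self-signed installer typically shows Status UnknownError with SelfSigned True and ChainErrors containing UntrustedRoot; a file from a publicly-trusted CA shows Status Valid and, if the publisher timestamped it, TimeStamped True.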

This is the seventh post in our code-signing series. Check out the full list to read past entries and see what’s upcoming.

Bruce Morton

Bruce Morton is a pioneering figure in the PKI and digital certificate industry. He currently serves as Director for Certificate Services at Entrust Datacard, where he has been employed since 1999. His day-to-day responsibilities include managing standards implementations, overseeing Entrust Datacard’s policy authority, and monitoring Entrust Certificate Service for industry compliance.